SRX Services Gateway

TLS on https didn't reply the hello from server.

‎03-18-2018 09:05 PM

I have a problem regarding the connection for transiting HTTPS traffic. We've attempted to take a dump using PCAP by setting up datapath-debug. The following is the result of the PCAP.

(Image: TCP dump, failed TLS.)

At this point the source host sends the hello packet to the server, but it seems the server didn't reply with a hello packet to the client. The following depicts a successful TLS connection.

(Image: TCP dump, successful TLS connection.)

Is there something not configured on SRX?

6 REPLIES

Re: TLS on https didn't reply the hello from server.

‎03-19-2018 02:56 AM

Does the policy that permits the traffic have deep inspection or decryption enabled?

If so, these may be doing something unexpected. If not, then there is nothing the SRX is doing to the stream that would affect the transaction.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: TLS on https didn't reply the hello from server.

‎03-19-2018 03:48 PM

We have no SSL inspection enabled. Can you tell me how to check the decryption on SRX?

Please note, the following is the valid session regarding my first post. The destination host might not be the same because the source host randomizes the IP address based on their service.

(Image: valid session on HTTPS and TLS)

Solution
Accepted by topic author furqon
‎03-21-2018 05:06 PM

Re: TLS on https didn't reply the hello from server.

‎03-20-2018 03:14 AM

We can see if the content of the policy has any references to the inspection engines.

show configuration security policy from-zone AAA to-zone BBB policy Forti_Webservice

Look for application-services utm-policy

or: application-firewall

https://www.juniper.net/documentation/en_US/junos/topics/example/utm-content-filtering-utm-policy-to...

SSL decryption is activated in the policy as well, using ssl-proxy

https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/ssl-proxy-workflow-confi...

If none of these are active then the session is being permitted and not manipulated, so the issue will be outside the SRX.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
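The check described in the accepted answer, written up as an added example that is not part of the thread or Juniper's own tooling: it parses captured `show configuration security policies ... | display set` output (the set-style form of the command above) and reports, per policy, which inspection services (ssl-proxy, utm-policy, application-firewall, idp) the permit action references, so a plain permit stands out. The sample output is constructed, and the exact set-line syntax is assumed from Junos convention.

```python
import re

# Constructed sample of `| display set` output (not from the thread). Forti_Webservice is a
# plain permit, as in the original poster's policy; Inspected_Web references two inspection services.
SAMPLE_CONFIG = """\
set security policies from-zone AAA to-zone BBB policy Forti_Webservice match source-address any
set security policies from-zone AAA to-zone BBB policy Forti_Webservice match destination-address any
set security policies from-zone AAA to-zone BBB policy Forti_Webservice match application junos-https
set security policies from-zone AAA to-zone BBB policy Forti_Webservice then permit
set security policies from-zone AAA to-zone BBB policy Inspected_Web match source-address any
set security policies from-zone AAA to-zone BBB policy Inspected_Web match application junos-https
set security policies from-zone AAA to-zone BBB policy Inspected_Web then permit application-services ssl-proxy profile-name web-decrypt
set security policies from-zone AAA to-zone BBB policy Inspected_Web then permit application-services utm-policy web-utm
"""

POLICY_RE = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) (.*)$")
# application-services keywords that hand the stream to an inspection engine
INSPECTION_SERVICES = ("ssl-proxy", "utm-policy", "application-firewall", "idp")


def inspection_services(config_text):
    """Map (from_zone, to_zone, policy) -> sorted list of inspection services in its permit action."""
    found = {}
    for line in config_text.splitlines():
        m = POLICY_RE.match(line.strip())
        if not m:
            continue  # not a policy statement (or not set-style output)
        key = (m.group(1), m.group(2), m.group(3))
        services = found.setdefault(key, set())
        rest = m.group(4).split()
        # only `then permit application-services <name> ...` lines matter here
        if len(rest) >= 4 and rest[:3] == ["then", "permit", "application-services"]:
            if rest[3] in INSPECTION_SERVICES:
                services.add(rest[3])
    return {k: sorted(v) for k, v in found.items()}


def policies_without_inspection(config_text):
    """Policies that simply permit: nothing on the SRX will touch the TLS stream."""
    return sorted(p for p, svcs in inspection_services(config_text).items() if not svcs)


if __name__ == "__main__":
    for policy, svcs in inspection_services(SAMPLE_CONFIG).items():
        print(policy, "->", svcs or "plain permit")
```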

Re: TLS on https didn't reply the hello from server.

‎03-20-2018 09:33 PM

We don't have utm-policy or ssl-proxy configured on the security policy. It just simply permits the connection.

(Image: HTTPS security policy)

Then, as you said, the problem might be outside of the SRX.

Re: TLS on https didn't reply the hello from server.

‎03-21-2018 03:10 AM

Right, there is no inspection present on this policy that would drop some packets in the stream then.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: TLS on https didn't reply the hello from server.

‎03-21-2018 05:12 PM

Thanks, the problem was just solved. The host TCP traffic is encrypted by SSL. Then we use transit toward the SSL proxy server to make it able to work well.